Timing Network DDoS Attacks Growing

The United States Computer Emergency Readiness Team (US-CERT) is warning of an increased risk from DDoS attacks that leverage the Network Time Protocol (NTP) to amplify the attack volume.

NTP is a widely deployed Internet protocol that is primarily used as a time-keeping technique for clock synchronization. Simply requesting the time from an NTP server is not, however, what attackers are using to execute DDoS attacks.

Instead, attackers are abusing a feature in NTP that enables administrators to query an NTP server about connected clients and their traffic counts. The query is made via a "monlist" command.

"This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim," US-CERT warns. "Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim."

US-CERT also warns that since NTP traffic is typically considered legitimate, it can be difficult for administrators to block the attack.
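Although NTP traffic as a whole looks legitimate, the header of each packet shows whether it is ordinary time synchronization or a "monlist" query or reply. The Python sketch below is an added example, not code from the original article or from US-CERT. Request codes 20 and 42 are the MON_GETLIST values from ntpd's ntp_request.h; the function names, addresses and header-only sample bytes are constructed for illustration.

```python
# Added example: label NTP UDP payloads (port 123) from their first four bytes.
MODE_PRIVATE = 7            # ntpd "private" mode, used by ntpdc-style queries
MONLIST_CODES = {20, 42}    # REQ_MON_GETLIST, REQ_MON_GETLIST_1 (ntp_request.h)

def classify_ntp(payload: bytes) -> str:
    """Return a coarse label for a single NTP payload."""
    if len(payload) < 4:
        return "malformed"
    mode = payload[0] & 0x07            # low three bits of byte 0
    if 1 <= mode <= 5:
        return "time-sync"              # the traffic a site actually needs
    if mode == 6:
        return "control"                # ntpq-style control messages
    if mode != MODE_PRIVATE:
        return "other"                  # mode 0 is reserved
    is_response = bool(payload[0] & 0x80)   # top bit is the response flag
    if payload[3] in MONLIST_CODES:         # byte 3 carries the request code
        return "monlist-response" if is_response else "monlist-request"
    return "private-other"

def flag_monlist(packets):
    """Return (source, label) for every packet that is monlist traffic."""
    flagged = []
    for src, payload in packets:
        label = classify_ntp(payload)
        if label.startswith("monlist"):
            flagged.append((src, label))
    return flagged

# Constructed samples: documentation addresses and header bytes only.
SAMPLES = [
    ("192.0.2.10",   b"\x23\x00\x00\x00"),  # version 4 client time request
    ("192.0.2.53",   b"\x24\x02\x06\xe9"),  # version 4 server time reply
    ("198.51.100.7", b"\x17\x00\x03\x2a"),  # private mode, request code 42
    ("203.0.113.9",  b"\xd7\x00\x03\x2a"),  # private mode reply, code 42
    ("192.0.2.99",   b"\x16\x02\x00\x00"),  # mode 6 control message
]

if __name__ == "__main__":
    for src, label in flag_monlist(SAMPLES):
        print(src, label)
```

Inbound "monlist-request" packets at a server's edge indicate it is being probed or used as a reflector, while a flood of "monlist-response" packets that no local host asked for is the victim-side signature.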